SB2016082404 - Multiple vulnerabilities in Liferay Portal
Published: August 24, 2016
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 vulnerabilities.
1) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in Search portlet. A remote attacker can use search to access otherwise restricted information.
2) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when editing blog entry. The application may reset the blog entry's permission to the default permission. This may allow a user without the necessary permission to view a blog entry.
3) Improper Restriction of XML External Entity Reference (CVE-ID: N/A)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform XXE attacks.
The vulnerability exists due to PDFBox does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
4) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists due to web application stored LDAP credentials in log file, when log level is set to DEBUG. A local user with ability to view log files can obtain access credentials of web application users.
5) Open redirect (CVE-ID: N/A)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform phishing attacks.
The vulnerability exists due to insufficient sanitization of untrusted input data when performing redirects to external websites. A remote attacker can create a specially crafted URL and redirect users to malicious websites.
6) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the <aui:form> tag. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of the affected website.
7) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of the affected website.
8) Stored cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Monitoring. A remote attacker can trick the victim to visit a page with XSS payload and execute arbitrary HTML and script code in victim’s browser in security context of the affected website.
Remediation
Install update from vendor's website.
References
- https://issues.liferay.com/browse/LPS-67681
- https://issues.liferay.com/browse/LPS-67682
- https://issues.liferay.com/browse/LPS-67683
- https://issues.liferay.com/browse/LPS-67684
- https://issues.liferay.com/browse/LPS-67679
- https://issues.liferay.com/browse/LPS-67676
- https://issues.liferay.com/browse/LPS-67677
- https://issues.liferay.com/browse/LPS-67678
- https://issues.liferay.com/browse/LPS-67675